Abstract. The paper presents new criteria for bijectivity/transitivity of
T-functions and a fast knapsack-like algorithm of evaluation of a T-function. Our
approach is based on non-Archimedean ergodic theory: Both the criteria and
algorithm use van der Put series to represent 1-Lipschitz p-adic functions and
to study measure-preservation/ergodicity of these.



1. Introduction 

For years linear feedback shift registers (LFSRs) over a 2-element field $\mathbb{F}_2$ have
been one of the most important building blocks in keystream generators of stream
ciphers. LFSRs can easily be designed to produce binary sequences of the longest
period (that is, of length $2^k - 1$ for a $k$-cell LFSR over $\mathbb{F}_2$); LFSRs are fast and
easy to implement both in hardware and in software. However, sequences produced
by LFSRs have linear dependencies that make it easy to analyse the sequences and
construct attacks on the whole cipher. To make output sequences of LFSRs more
secure these linear dependencies must be destroyed by a properly chosen filter; it
is the filter that carries the major cryptographic load, making the whole cipher
secure.

T-functions were found to be useful tools to design fast cryptographic primitives
and ciphers based on usage of both arithmetic (addition, multiplication) and logical
operations, see [M[l3[ll[2l[2ll[23[2i[23[22[2i|3Zl[l3ffl. Loosely
speaking, a T-function is a map of $k$-bit words into $k$-bit words such that each $i$-th
bit of the image depends only on the low-order bits $0, \ldots, i$ of the pre-image. Various
methods are known to construct bijective T-functions as well as transitive T-functions
(the latter are the ones that produce sequences of the longest possible period, $2^k$),
see [lia[2l[T3li[3[a|2i|3ll[2a[2ll[23l|25l|T5]. Transitive T-functions have been
considered as a candidate to replace LFSRs in keystream generators of stream
ciphers, see e.g. [131 ESI [HI [HI 1371 ED], since sequences produced by T-function-based
keystream generators are proved to have a number of good cryptographic properties,
e.g., high linear and 2-adic complexity, uniform distribution of subwords, etc.,
see [H [28l [H [50]. Bijective T-functions can be used to design filter functions of
stream ciphers, see [HI^IT^.

The main purpose of this paper is to provide new criteria for bijectivity/transitivity
of T-functions; so Theorems 6 and 7 are the main results of the paper. In our opinion,
these new criteria might be better applicable to T-functions that are represented
via compositions of standard computer instructions on representation of T-functions
via additions of some non-negative constants. What is important, the representation
can be used to evaluate a T-function via a knapsack-like algorithm: Assuming
the constants are stored in memory, to calculate a value of an arbitrary T-function
on a $k$-bit word, one needs not more than $k$ calls to memory and not more
than $k - 1$ additions modulo $2^k$ of $k$-bit numbers. Thus, representations of that
sort could be used in design of various high-performance cryptographic primitives:
keystream generators, filter functions, cipher combiners (Latin squares) and fast
stream ciphers as a whole.

The representation is based on van der Put series, special convergent series from
p-adic analysis; that is why p-adic analysis (and p-adic ergodic theory) are the main
mathematical tools we use in the paper: To determine bijectivity/transitivity of a
given T-function, we represent it via van der Put series (6) and apply accordingly
Theorems 6 and/or 7. We stress that given a T-function combined from basic computer
instructions, 'normally' it is easier to represent it via van der Put series than
via Mahler series (or via coordinate functions $\psi_i$ to use criteria based on algebraic
normal forms, see Subsection 2.4); moreover, once the T-function is represented via
van der Put series, it is much faster to evaluate it compared to representation via
Mahler series or via coordinate functions.

The van der Put series may also play an important role in a study of linear
dependencies among coordinate sequences (the ones produced by the mentioned
coordinate functions $\psi_i$) of a transitive T-function. Although given a 'randomly
chosen' T-function, its coordinate sequences produced by $\psi_i$ and $\psi_j$ should be
considered as 'independent' once $i \ne j$ (meaning the first half-periods of these
sequences are independent Boolean vectors, cf. [4, Theorem 11.26]), this is not the
case for large classes of transitive T-functions: There are linear relations between
any two adjacent coordinate sequences in Klimov-Shamir T-functions [38, 39], in
polynomials with integer coefficients [49], and in T-functions that are uniformly
differentiable modulo 4, [43, 44]. The latter class is currently the largest known class
where transitive T-functions exhibit linear relations between adjacent coordinate
sequences. Therefore an important problem is to characterize transitive T-functions
that exhibit no linear dependencies between adjacent coordinate sequences, as the
said linear relations may result in attacks against T-function-based ciphers, [44].
Van der Put series might be an adequate tool in a study of the problem, as with the
use of the series one can handle 'non-smooth' T-functions (that is, the ones which
are not uniformly differentiable modulo 4). We note however that the mentioned
study is a future work whose subject is outside the scope of the current paper.

It is worth noticing here that the p-adic ergodic theory which is exploited in
the current paper constitutes an important part of non-Archimedean (and wider,
of algebraic) dynamics, a rapidly developing mathematical discipline that recently
demonstrated its effectiveness in application to various sciences: computer science,
cryptology, physics, molecular biology, cognitive sciences, genetics, artificial
intelligence, image processing, numerical analysis and modelling, etc. Due to a huge
number of papers in the area, we can mention only some monographs here to enable
the interested reader to find relevant references therein: [H [191 IHl HO].

The paper is organized as follows:

• In Section 2 we give a brief survey of non-Archimedean theory of
T-functions: history, state of the art, main notions and results.

• In Section 3 we prove the said criteria for bijectivity/transitivity of
T-functions in terms of van der Put series.

• Using the transitivity criterion, in Section we give two examples of
ergodic T-functions which are composed of additions and maskings. Also
we explain how to use the bijectivity criterion in order to construct huge
classes of large Latin squares and introduce a fast knapsack-like algorithm
of evaluation of a T-function represented by van der Put series.

• We conclude in Section 5.

2. Non-Archimedean theory of T-functions: brief survey 

In this Section, we introduce basics of what can be called the non-Archimedean
approach to T-functions. For the full theory see monograph [4] or expository paper
[2]. We start with a definition of a T-function and show that T-functions can be
treated as continuous functions defined on and valued in the space of 2-adic
integers. Therefore we introduce basics of 2-adic arithmetic and of 2-adic Calculus that
we will need to state and prove our main results. There are many comprehensive
monographs on p-adic numbers and p-adic analysis that contain all necessary
definitions and proofs, see e.g. [27, 36, 42] or introductory chapters in [4], so further
in the Section we introduce 2-adic numbers in a somewhat informal manner.

2.1. T-functions. An $n$-variate triangular function (a T-function for short) is a
mapping

$(\alpha_0, \alpha_1, \alpha_2, \ldots) \mapsto (\Phi_0(\alpha_0), \Phi_1(\alpha_0, \alpha_1), \Phi_2(\alpha_0, \alpha_1, \alpha_2), \ldots),$

where $\alpha_j \in \mathbb{F}_2^n$ is a Boolean columnar $n$-dimensional vector; $\mathbb{F}_2 = \{0, 1\}$ is a
2-element field, and

$\Phi_j\colon (\mathbb{F}_2^n)^{j+1} \to \mathbb{F}_2^m$

maps $(j + 1)$ Boolean columnar $n$-dimensional vectors $\alpha_0, \ldots, \alpha_j$ to the $m$-dimensional
columnar Boolean vector $\Phi_j(\alpha_0, \ldots, \alpha_j)$. Accordingly, a univariate T-function $f$
is a mapping

(1) $(\chi_0, \chi_1, \chi_2, \ldots) \mapsto (\psi_0(\chi_0); \psi_1(\chi_0, \chi_1); \psi_2(\chi_0, \chi_1, \chi_2); \ldots),$

where $\chi_j \in \{0, 1\}$, and each $\psi_j(\chi_0, \ldots, \chi_j)$ is a Boolean function in Boolean
variables $\chi_0, \ldots, \chi_j$. T-functions may be viewed as mappings from non-negative
integers to non-negative integers: e.g., a univariate T-function $f$ sends a number with
the base-2 expansion

$\chi_0 + \chi_1 \cdot 2 + \chi_2 \cdot 2^2 + \cdots$

to the number with the base-2 expansion

$\psi_0(\chi_0) + \psi_1(\chi_0, \chi_1) \cdot 2 + \psi_2(\chi_0, \chi_1, \chi_2) \cdot 2^2 + \cdots$

Further in the paper we refer to these Boolean functions $\psi_0, \psi_1, \psi_2, \ldots$ as
coordinate functions of a T-function $f$. If we restrict T-functions to the set of all
numbers whose base-2 expansions are not longer than $k$, we sometimes refer to these
restrictions as T-functions on $k$-bit words. Thus, we may consider the restriction
of a (univariate) T-function $f$ on $k$-bit words as a transformation $f \bmod 2^k$ of the
residue ring $\mathbb{Z}/2^k\mathbb{Z}$ modulo $2^k$, as every residue $r \in \mathbb{Z}/2^k\mathbb{Z}$ can be associated to a
base-2 expansion of a non-negative integer from $\{0, 1, \ldots, 2^k - 1\}$.

Important examples of T-functions are basic machine instructions:

• integer arithmetic operations (addition, multiplication, ...);

• bitwise logical operations (OR, XOR, AND, NOT);

• some of their compositions (masking with mask $m$, $\mathrm{MASK}(\cdot, m) = \cdot\ \mathrm{AND}\ m$;
$\ell$-bit shifts towards higher order bits, $\cdot\, 2^{\ell}$; reduction modulo $2^k$,
$\cdot \bmod 2^k = \cdot\ \mathrm{AND}\ (2^k - 1)$).

Since obviously a composition of T-functions is a T-function (for instance, any
polynomial with integer coefficients is a T-function), the T-functions are natural
transformations of binary words that can be performed by digital computers. That
is the main reason why T-functions have attracted the attention of the cryptographic
community: T-functions may be used to construct new cryptographic primitives that
are suitable for software implementations. For this purpose, given a T-function
$f$ and a bitlength $k$, it is important to determine whether the mapping $f \bmod 2^k$
is bijective (that is, invertible) or transitive (that is, a permutation with a single
cycle).

Although in cryptology the term "T-function" was suggested only in 2002, by
Klimov and Shamir, see [22], in mathematics these mappings were known (however,
under other names) long before 2002, and various effective criteria were proved to
determine bijectivity and/or transitivity of T-functions. Some of these criteria were
published in 1994 by the first author of the paper, see [5]; the criteria are based
on 2-adic ergodic theory and use representation of a T-function $f$ in the form of
Mahler series (5). However, in some cases representing a given T-function in this
form may be a difficult mathematical task by itself; that is why a variety of criteria
is needed to handle T-functions represented as compositions of various computer
instructions (we give a brief survey of known criteria in Subsection 2.4).

2.2. Brief history of T-functions. As said, in cryptology the term "T-function"
was suggested only in 2002; in mathematics the mappings we refer to as T-functions
have been studied for more than half a century.

In automata theory, Yablonsky et al. studied the so-called determinate
functions since the 1950s, see [47]. Actually, a determinate function is a function that
can be represented by an automaton: Consider an automaton with a binary input
and binary output; then the automaton transforms each infinite input string of 0-s
and 1-s into an infinite output string of 0-s and 1-s (we suppose that the initial state
of the automaton is fixed). Note that every outputted $i$-th bit depends only on the
inputted $i$-th bit and on the current state of the automaton. However, the current
state depends only on the previous state and on the $(i - 1)$-th input bit. Hence,
for every $i = 1, 2, \ldots$, the $i$-th outputted bit depends only on bits $1, 2, \ldots, i$ of the
input string, and so the transformation of all infinite binary strings performed by
the automaton is a T-function. The p-adic approach in automata theory goes back
to the work of Lunts [3S] of 1965.

We note here that Yablonsky and his successors were mostly interested in such
properties of determinate functions as completeness of various systems of functions,
various methods to construct an automaton that represents the given function,
etc. It is worth noticing also that determinate functions were studied in a more
general setting, for arbitrary $K$-letter inputs/outputs, cf. [47] or recent works
[10, 11] and references therein. It is worth noticing here that in [10] (as well as in the
current paper) van der Put series is the main tool.

T-functions were also studied in algebra, and also in a much more general setting:
T-functions are a special case of the so-called compatible mappings; namely, any
T-function on $k$-bit words is a compatible mapping of a residue ring modulo $2^k$.

Recall that a transformation $f\colon A \to A$ of an algebraic system $A$ (that is, of a
set endowed with operations $\omega \in \Omega$) is called compatible whenever $f$ agrees with
all congruences of $A$; that is, $f(a) \sim f(b)$ whenever $a \sim b$, where $\sim$ is a congruence
of $A$. Recall that a congruence $\sim$ is an equivalence relation that agrees with all
operations $\omega$ of $A$: $\omega(a_1, \ldots, a_r) \sim \omega(b_1, \ldots, b_r)$ whenever $a_i \sim b_i$, $i = 1, 2, \ldots, r$;
$r$ is the arity of $\omega$. It is obvious that a compatible transformation of the residue
ring $\mathbb{Z}/2^k\mathbb{Z}$ modulo $2^k$ is a T-function on $k$-bit words (under a natural one-to-one
correspondence between and $\mathbb{Z}/2^k\mathbb{Z}$, when a $k$-bit word from is considered
as a base-2 expansion of the corresponding integer): In the case when $A = \mathbb{Z}/2^k\mathbb{Z}$
is a residue ring modulo $2^k$ the compatibility of $f$ yields

$a \equiv b \pmod{2^s} \implies f(a) \equiv f(b) \pmod{2^s},$

for all $s < k$, which is merely an equivalent definition of a (univariate) T-function
on $k$-bit words. For further results on compatible functions on rings and other
algebras see monograph [32] and references therein.

Since the early 1990s the non-Archimedean theory of T-functions emerged,
which treated T-functions as continuous transformations of the space $\mathbb{Z}_2$ of 2-adic
integers and studied corresponding dynamics. The first publications in this area
were [5] and [12]; the importance of T-functions for pseudorandom generation and
cryptology was explicitly stated in these papers as well. Within that theory, it
was demonstrated that T-functions are continuous transformations with respect to
the 2-adic metric, and that bijectivity (resp., transitivity) of T-functions corresponds
to measure preservation (resp., ergodicity) of these continuous transformations.
This approach supplies a researcher with a number of effective tools from the
non-Archimedean (actually, 2-adic) analysis to determine whether a given T-function is
bijective or transitive, to study distribution and structure of output sequences, to
construct wide classes of T-functions with prescribed properties, etc. We use this
approach in the present paper.

We note that the theory was developed in a more general setting, for arbitrary
prime $p$, and not necessarily for $p = 2$, which corresponds to the case of T-functions.
In the paper, we are mostly interested in the case $p = 2$; however, we prove
corresponding results for arbitrary prime $p$ where possible.

Last, but not least: T-functions under the name of triangular Boolean mappings
were studied in the theory of Boolean functions. Within this theory there were
obtained important criteria for invertibility/transitivity of a T-function, in terms of
coordinate Boolean functions $\psi_0, \psi_1, \psi_2, \ldots$. The criteria belong to mathematical
folklore circulating at least since the 1970s among mathematicians dealing with the
theory of Boolean functions; unfortunately the author of these important criteria
is not known. To the best of our knowledge, the first quotation of these folklore
criteria in literature occurred in 1994, see [5, Lemma 4.8]: As it is clearly marked
in the mentioned paper, the said Lemma is just a re-statement of these well-known
criteria. We reproduce these folklore criteria below, see Theorem 2.

2.3. T-functions, 2-adic integers, and p-adic analysis. As it follows directly
from the definition, any T-function is well-defined on the set $\mathbb{Z}_2$ of all infinite
binary sequences $\ldots\delta_2(x)\delta_1(x)\delta_0(x) = x$, where $\delta_j(x) \in \mathbb{F}_2 = \{0, 1\}$, $j = 0, 1, 2, \ldots$.

Arithmetic operations (addition and multiplication) with these sequences can be
defined via standard "school-textbook" algorithms of addition and multiplication
of natural numbers represented by base-2 expansions. Each term of a sequence that
corresponds to the sum (respectively, to the product) of two given sequences can
be calculated by these algorithms within a finite number of steps.

Thus, $\mathbb{Z}_2$ is a commutative ring with respect to the addition and multiplication
defined in this manner. The ring $\mathbb{Z}_2$ is called the ring of 2-adic integers. The ring
$\mathbb{Z}_2$ contains a subring $\mathbb{Z}$ of all rational integers: For instance, ...111 = -1.

Moreover, the ring $\mathbb{Z}_2$ contains all rational numbers that can be represented by
irreducible fractions with odd denominators. For instance, ...01010101 × ...00011 =
...111, i.e., ...01010101 = -1/3 since ...00011 = 3 and ...111 = -1.

Sequences with only a finite number of 1-s correspond to non-negative rational
integers in their base-2 expansions, sequences with only a finite number of 0-s
correspond to negative rational integers, while eventually periodic sequences (that
is, sequences that become periodic from a certain place) correspond to rational
numbers represented by irreducible fractions with odd denominators: For instance,
3 = ...00011, -3 = ...11101, 1/3 = ...10101011, -1/3 = ...1010101. So the
$j$-th term $\delta_j(u)$ of the corresponding sequence $u \in \mathbb{Z}_2$ is merely the $j$-th digit of
the base-2 expansion of $u$ whenever $u$ is a non-negative rational integer,
$u \in \mathbb{N}_0 = \{0, 1, 2, \ldots\}$.

What is important, the ring $\mathbb{Z}_2$ is a metric space with respect to the metric
(distance) $d_2(u, v)$ defined by the following rule: $d_2(u, v) = |u - v|_2 = 1/2^n$, where $n$
is the smallest non-negative rational integer such that $\delta_n(u) \ne \delta_n(v)$, and $d_2(u, v) = 0$
if no such $n$ exists (i.e., if $u = v$). For instance $d_2(3, 1/3) = 1/8$. The function
$d_2(u, 0) = |u|_2$ is a 2-adic absolute value of the 2-adic integer $u$, and
$\mathrm{ord}_2 u = -\log_2 |u|_2$ is a 2-adic valuation of $u$. Note that for $u \in \mathbb{Z}$ the valuation
$\mathrm{ord}_2 u$ is merely the exponent of the highest power of 2 that divides $u$ (thus, loosely
speaking, $\mathrm{ord}_2 0 = \infty$; so $|0|_2 = 0$). This means, in particular, that

(2) $|a - b|_2 \le 2^{-k}$ if and only if $a \equiv b \pmod{2^k}$

for $a, b \in \mathbb{Z}$. Using this equivalence, one can expand the map $\bmod\ 2^k$ (the reduction
modulo $2^k$) to the whole space $\mathbb{Z}_2$, obtaining a T-function $\cdot \bmod 2^k = \cdot\ \mathrm{AND}\ (2^k - 1)$
that is defined everywhere on $\mathbb{Z}_2$; so further we use both (equivalent) notations
$|a - b|_2 \le 2^{-k}$ and $a \equiv b \pmod{2^k}$ for arbitrary $a, b \in \mathbb{Z}_2$.

It is easy to see that the metric $d_2$ satisfies the strong triangle inequality:

(3) $|a + b|_2 \le \max\{|a|_2, |b|_2\},$

for all $a, b \in \mathbb{Z}_2$. Metric spaces of this kind are called ultrametric spaces, or
non-Archimedean metric spaces; the latter due to the fact that in ultrametric spaces
the Archimedean Axiom does not hold.

Once the metric is defined, one defines notions of convergent sequences, limits,
continuous functions on the metric space, and derivatives if the space is a
commutative ring. For instance, with respect to the so defined metric $d_2$ on $\mathbb{Z}_2$ the sequence
$1, 3, 7, \ldots, 2^i - 1, \ldots$ (or, in base-2 expansion, the sequence 1, 11, 111, ...) tends to
-1 = ...111. Bitwise logical operators (such as XOR, AND, ...) define continuous
functions in two variables.

Reduction modulo $2^n$ of a 2-adic integer $v$, i.e., setting all terms of the
corresponding sequence with indices greater than $n - 1$ to zero (that is, taking the first
$n$ digits in the representation of $v$) is just an approximation of a 2-adic integer $v$
by a rational integer with precision $1/2^n$: This approximation is an $n$-digit positive
rational integer $v\ \mathrm{AND}\ (2^n - 1)$; the latter will be denoted also as $v \bmod 2^n$.

Actually a processor operates with approximations of 2-adic integers with respect
to the 2-adic metric: When the overflow happens, i.e., when a number that must be
written into an $n$-bit register consists of more than $n$ significant bits, the processor
just writes only $n$ low order bits of the number into the register thus reducing the
number modulo $2^n$. Thus, the accuracy of the approximation is defined by the
bitlength of machine words of the processor.

What is the most important within the scope of the paper is that all T-functions
are continuous functions of 2-adic variables, since all T-functions satisfy the Lipschitz
condition with a constant 1 with respect to the 2-adic metric, and vice versa.

Indeed, it is obvious that the function $f\colon \mathbb{Z}_2 \to \mathbb{Z}_2$ satisfies the condition
$|f(u) - f(v)|_2 \le |u - v|_2$ for all $u, v \in \mathbb{Z}_2$ if and only if $f$ is compatible, since the inequality
$|a - b|_2 \le 1/2^k$ is just equivalent to the congruence $a \equiv b \pmod{2^k}$. A similar
property holds for multivariate T-functions. So we conclude:

T-functions = compatible functions = 1-Lipschitz functions

The observation we just have made implies that the non-Archimedean (namely,
the 2-adic) analysis can be used in the study of T-functions. For instance, one can
prove that the following functions satisfy the Lipschitz condition with a constant 1 and
thus are T-functions (so we can use them in compositions to construct PRNGs):

• subtraction, $-\colon (u, v) \mapsto u - v$;

• exponentiation, $\uparrow\colon (u, v) \mapsto u \uparrow v = (1 + 2u)^v$, and in particular raising to
negative powers, $u \uparrow (-v) = (1 + 2u)^{-v}$;

• division, $/\!/\colon u /\!/ v = u \cdot (v \uparrow (-1)) = u/(1 + 2v)$.

We summarize: 

• T-functions on $n$-bit words are approximations of 2-adic compatible
functions (i.e., 1-Lipschitz functions) with precision $2^{-n}$ w.r.t. the 2-adic
metric: That is, a T-function on $n$-bit words is just a reduction modulo $2^n$ of
a 2-adic 1-Lipschitz function.

• To study properties of T-functions one can use 2-adic analysis, since
compatible functions are continuous w.r.t. the 2-adic metric.

• In addition to the basic machine instructions, to construct T-functions one
can use also subtraction, division by an odd integer, raising an odd integer
to a certain power.

All these considerations after proper modifications remain true for arbitrary
prime $p$, and not only for $p = 2$, thus resulting in the notion of the p-adic integer
and in respective p-adic analysis. For formal introduction to p-adic analysis, exact
notions and results see any relevant book, e.g. p71 155].
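
The facts of this subsection can be reproduced on a computer. The following Python code is an added example, not code from the paper: it computes truncations of 2-adic integers, the metric $d_2$, and tests the compatibility (1-Lipschitz) condition on 8-bit words for the division and exponentiation maps listed above. The function names and the word length K = 8 are assumptions of the example.

```python
# Added example: 2-adic truncations, the metric d_2, and the 1-Lipschitz test.
from fractions import Fraction


def to_2adic(q, k):
    """Low k binary digits (an int in [0, 2^k)) of the 2-adic integer q.

    q is an int, a Fraction, or a string such as "-1/3"; the reduced
    denominator must be odd, otherwise q is not a 2-adic integer.
    """
    q = Fraction(q)
    if q.denominator % 2 == 0:
        raise ValueError("even denominator: not a 2-adic integer")
    m = 1 << k
    # Division by an odd number is multiplication by its inverse modulo 2^k.
    return q.numerator * pow(q.denominator, -1, m) % m


def ord2(q):
    """2-adic valuation: exponent of the highest power of 2 dividing q."""
    n = Fraction(q).numerator
    if n == 0:
        return float("inf")
    return (n & -n).bit_length() - 1


def d2(u, v):
    """2-adic distance |u - v|_2 = 2^(-ord2(u - v)), returned as a Fraction."""
    diff = Fraction(u) - Fraction(v)
    return Fraction(0) if diff == 0 else Fraction(1, 2 ** ord2(diff))


def is_compatible(f, k):
    """True iff a = b (mod 2^s) implies f(a) = f(b) (mod 2^s) for all s <= k.

    It is enough to compare every k-bit word a with its own reduction
    a mod 2^s, because congruence modulo 2^s is an equivalence relation.
    """
    for a in range(1 << k):
        fa = f(a)
        for s in range(1, k + 1):
            low = (1 << s) - 1
            if (fa ^ f(a & low)) & low:
                return False
    return True


K = 8            # word length used by the sample maps below (assumption)
M = 1 << K


def divide(x):
    """x / (1 + 2x) mod 2^K: the division u // v with u = v = x."""
    return x * pow(1 + 2 * x, -1, M) % M


def power(x):
    """3^x mod 2^K: the exponentiation u ^ v = (1 + 2u)^v with u = 1, v = x."""
    return pow(3, x, M)


def shift_right(x):
    """Shift towards lower-order bits: output bit i depends on input bit i+1."""
    return x >> 1


if __name__ == "__main__":
    print(format(to_2adic("-1/3", 8), "08b"))   # digits of -1/3
    print(format(to_2adic("1/3", 8), "08b"))    # digits of 1/3
    print(format(to_2adic(-3, 5), "05b"))       # digits of -3
    print(d2(3, "1/3"))                         # distance between 3 and 1/3
    for name, f in [("divide", divide), ("power", power),
                    ("shift_right", shift_right)]:
        print(name, is_compatible(f, K))
```
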

2.4. The 2-adic ergodic theory and bijectivity/transitivity of T-functions. 

Now we describe the connections between bijectivity/transitivity of T-functions and 
the 2-adic ergodic theory. We first recall some basic notions of dynamics and of 
ergodic theory (which is a part of dynamics). 

A dynamical system on a measure space $\mathbb{S}$ is a triple $(\mathbb{S}; \mu; f)$, where $\mathbb{S}$ is a set
endowed with a measure $\mu$, and $f\colon \mathbb{S} \to \mathbb{S}$ is a measurable function; that is, an
$f$-preimage of any measurable subset is a measurable subset. These basic definitions
from dynamical system theory, as well as the following ones, can be found in [30];
see also [17] as a comprehensive monograph on various aspects of dynamical systems
theory.

A trajectory (or, orbit) is a sequence

$x_0, x_1 = f(x_0), \ldots, x_i = f(x_{i-1}) = f^i(x_0), \ldots$

of points of the space $\mathbb{S}$; $x_0$ is called an initial point of the trajectory. If $F\colon \mathbb{S} \to \mathbb{T}$
is a measurable mapping to some other measurable space $\mathbb{T}$ with a measure $\nu$ (that
is, if an $F$-preimage of any $\nu$-measurable subset of $\mathbb{T}$ is a $\mu$-measurable subset of
$\mathbb{S}$), the sequence $F(x_0), F(x_1), F(x_2), \ldots$ is called an observable. Note that the
trajectory formally looks like the sequence of states of a pseudorandom generator
while the observable resembles the output sequence.

A mapping $F\colon \mathbb{S} \to \mathbb{Y}$ of a measure space $\mathbb{S}$ into a measure space $\mathbb{Y}$ endowed with
probability measures $\mu$ and $\nu$, respectively, is said to be measure preserving (or,
sometimes, equiprobable) whenever $\mu(F^{-1}(S)) = \nu(S)$ for each measurable subset
$S \subset \mathbb{Y}$. In the case $\mathbb{S} = \mathbb{Y}$ and $\mu = \nu$, a measure preserving mapping $F$ is said to
be ergodic whenever for each measurable subset $S$ such that $F^{-1}(S) = S$ one has
either $\mu(S) = 1$ or $\mu(S) = 0$.

Recall that to define a measure $\mu$ on some set $\mathbb{S}$ we should assign non-negative
real numbers to some subsets that are called elementary. All other measurable
subsets are compositions of these elementary subsets with respect to countable
unions, intersections, and complements.

Elementary measurable subsets in $\mathbb{Z}_2$ are balls $B_{2^{-k}}(a) = a + 2^k\mathbb{Z}_2$ of radii $2^{-k}$
centered at $a \in \mathbb{Z}_2$ (that is, co-sets with respect to the ideal $2^k\mathbb{Z}_2$ of the ring $\mathbb{Z}_2$,
generated by $2^k$). To each ball we assign a number $\mu_2(B_{2^{-k}}(a)) = 1/2^k$. This way
we define the probability measure $\mu_2$ on the space $\mathbb{Z}_2$, $\mu_2(\mathbb{Z}_2) = 1$. The measure $\mu_2$
is a (normalized) Haar measure on $\mathbb{Z}_2$. The normalized Haar measure on $\mathbb{Z}_p$ can
be defined in a similar manner.

To put it in other words, a ball $a + 2^k\mathbb{Z}_2$ (of radius $2^{-k}$) is just a set of all 2-adic
integers that are congruent to $a$ modulo $2^k$; that is, the set of all infinite binary
words that have a common initial prefix of length $k$ which coincides with the one of
the (infinite) binary word $a$. The measure of this set is $\mu_2(a + 2^k\mathbb{Z}_2) = 2^{-k}$. For
example, $\ldots{*}{*}{*}{*}{*}0101 = 5 + 16 \cdot \mathbb{Z}_2 = -1/3 + 16 \cdot \mathbb{Z}_2$ is a ball of radius (and of
measure) 1/16 centered at the point 5 (or, which is the same, at the point -1/3);
all 2-adic numbers that are congruent to 5 modulo 16 comprise this ball.

Note that the sequence $(s_i)_{i=0}^{\infty}$ of 2-adic integers is uniformly distributed (with
respect to the measure $\mu_2$ on $\mathbb{Z}_2$) if and only if it is uniformly distributed modulo
$2^k$ for all $k = 1, 2, \ldots$; that is, for every $a \in \mathbb{Z}/2^k\mathbb{Z}$ relative numbers of
occurrences of $a$ within the initial segment of length $\ell$ of the sequence $(s_i \bmod 2^k)_{i=0}^{\infty}$ of
residues modulo $2^k$ are asymptotically equal, i.e., $\lim_{\ell\to\infty} A(a, \ell)/\ell = 1/2^k$, where
$A(a, \ell) = \#\{s_i \equiv a \pmod{2^k}\colon i < \ell\}$, see [30] for details. Thus, strictly uniformly
distributed sequences are uniformly distributed in the usual meaning of the theory
of distributions of sequences. Of course, considerations of the above sort take place
for arbitrary prime $p$, and not only in the case when $p = 2$.

The following Theorem (which was announced in [7] and proved in [1]) holds: 

Theorem 1. For $m = n = 1$, a 1-Lipschitz mapping $F\colon \mathbb{Z}_p^n \to \mathbb{Z}_p^m$ preserves the
normalized Haar measure $\mu_p$ on $\mathbb{Z}_p$ (resp., is ergodic with respect to $\mu_p$) if and only
if it is bijective (resp., transitive) modulo $p^k$ for all $k = 1, 2, 3, \ldots$.

For $n > m$, the mapping $F$ preserves the measure $\mu_p$ if and only if it induces a
balanced mapping of $(\mathbb{Z}/p^k\mathbb{Z})^n$ onto $(\mathbb{Z}/p^k\mathbb{Z})^m$, for all $k = 1, 2, 3, \ldots$.

In other words, Theorem 1 yields that

• for a univariate T-function $f$, measure preservation is equivalent to
bijectivity of $f \bmod 2^k$ for all $k \in \mathbb{N}$;

• for a multivariate T-function $F\colon \mathbb{Z}_2^n \to \mathbb{Z}_2^m$, $m < n$, measure preservation
is equivalent to a balance of $F \bmod 2^k$ for all $k \in \mathbb{N}$;

• ergodicity of $F\colon \mathbb{Z}_2 \to \mathbb{Z}_2$ is equivalent to transitivity of $F \bmod 2^k$ for all
$k \in \mathbb{N}$.

This theorem implies in particular that whenever one chooses an ergodic T-function
$f\colon \mathbb{Z}_2 \to \mathbb{Z}_2$ as a state transition function of an automaton and a measure-preserving
T-function $F\colon (\mathbb{Z}/2^k\mathbb{Z})^n \to (\mathbb{Z}/2^k\mathbb{Z})^m$ as an output function, both the sequence of
states and output sequence of the automaton are uniformly distributed with respect
to the Haar measure. This implies that reduction of these sequences modulo $2^n$
results in strictly uniformly distributed sequences of binary words. Note also that
any number that is longer than a word bitlength of a computer is reduced modulo
$2^n$ automatically.

Thus, Theorem 1 points out a way to construct generators of uniformly
distributed sequences from standard computer instructions. To construct such a
generator, one must answer the following questions: What compositions of basic machine
instructions are measure-preserving? are ergodic? Given a composition of basic
machine instructions, is it measure-preserving? is it ergodic? These questions can be
answered with the use of p-adic ergodic theory, see papers [3 [71 [I2l 111 [U [21 [TJ [8];
for complete theory and its applications to numerous sciences see monograph [?].

Now we recall two results from the 2-adic ergodic theory. The first one is a
40-year-old folklore criterion for measure-preservation/ergodicity in terms of coordinate
functions of a T-function.

2.4.1. Criteria based on algebraic normal forms. Recall that the algebraic normal
form (the ANF for short) of the Boolean function $\psi_j(\chi_0, \ldots, \chi_j)$ is the
representation of this function via $\oplus$ (addition modulo 2, that is, "exclusive or") and $\cdot$
(multiplication modulo 2, that is, "and", or conjunction). In other words, the ANF
of the Boolean function $\psi$ is its representation in the form

$\psi(\chi_0, \ldots, \chi_j) = \beta \oplus \beta_0\chi_0 \oplus \beta_1\chi_1 \oplus \ldots \oplus \beta_{0,1}\chi_0\chi_1 \oplus \ldots,$

where $\beta, \beta_0, \ldots \in \{0, 1\}$. Recall also that the weight of the Boolean function $\psi_j$
in $(j + 1)$ variables is the number of $(j + 1)$-bit words that satisfy $\psi_j$; that is, the
weight is the cardinality of the truth set of the Boolean function $\psi_j$.

Theorem 2 (Folklore). Let a univariate T-function $f$ be represented in the form
(1). The T-function $f$ is measure-preserving iff for each $j = 0, 1, \ldots$ the Boolean
function $\psi_j$ in Boolean variables $\chi_0, \ldots, \chi_j$ is linear with respect to the variable $\chi_j$;
that is, $f$ is measure-preserving iff the ANF of each $\psi_j$ is of the form

$\psi_j(\chi_0, \ldots, \chi_j) = \chi_j \oplus \varphi_j(\chi_0, \ldots, \chi_{j-1}),$

where $\varphi_j$ is a Boolean function that does not depend on the variable $\chi_j$.

The univariate T-function $f$ is ergodic iff, additionally, all Boolean functions $\varphi_j$
are of odd weight. The latter takes place iff $\varphi_0 = 1$, and the full degree of
the Boolean function $\varphi_j$ for $j \ge 1$ is exactly $j$, that is, the ANF of $\varphi_j$ contains a
monomial $\chi_0 \cdots \chi_{j-1}$. Thus, $f$ is ergodic iff $\psi_0(\chi_0) = \chi_0 \oplus 1$, and for $j \ge 1$ the
ANF of each $\psi_j$ is of the form

$\psi_j(\chi_0, \ldots, \chi_j) = \chi_j \oplus \chi_0 \cdots \chi_{j-1} \oplus \theta_j(\chi_0, \ldots, \chi_{j-1}),$

where the weight of $\theta_j$ is even; i.e., $\deg \theta_j \le j - 1$.

For the proof of the folklore Theorem see [H Theorem 4.39], or [5, Lemma 4.8],
or [50, Theorem 1].

Remark 1. Actually the bit-slice technique of Klimov and Shamir introduced in [22]
is just a re-statement of Theorem 2.

We note that areas of applications of Theorem 2 are restricted: Given a
T-function in a form of composition of basic computer instructions, most often it is
infeasible to find its coordinate functions $\psi_i$. Thus, to determine with the use of that
theorem whether a given composition of arithmetic and bitwise logical operators
is bijective or transitive is possible only for relatively simple compositions like the
mapping $x \mapsto x + (x^2\ \mathrm{OR}\ C)$ considered in [22]. The latter mapping is transitive
modulo $2^n$ if and only if $C \equiv 5 \pmod 8$ or $C \equiv 7 \pmod 8$; see 0] Example 9.32],
[8, Example 3.14], or [3, Example 4.9] for the proof based on Theorem 2.

Earlier in 1999 Kotomina [55] applied Theorem 2 to prove the following statement
resulting in the so called add-xor generators, which are extremely fast: The
T-function

$f(x) = (\ldots((((x + c_0)\ \mathrm{XOR}\ d_0) + c_1)\ \mathrm{XOR}\ d_1) + \cdots$

is transitive modulo $2^n$ ($n > 2$) if and only if it is transitive modulo 4.

The following proposition, whose proof is also based on Theorem 2, gives a
method to construct new invertible T-functions (respectively, T-functions with a
single cycle property), out of given T-functions:

Proposition 1 (see [H |3] and [H Proposition 9.29]). Let $F$ be an $(n + 1)$-variate
T-function such that for all $z_1, \ldots, z_n$ the T-function $F(x, z_1, \ldots, z_n)$ is
measure-preserving with respect to the variable $x$. Then the composition

$F(f(x), 2g_1(x), \ldots, 2g_n(x))$

is measure-preserving for arbitrary T-functions $g_1, \ldots, g_n$ and any invertible
T-function $f$.

Moreover, if $f$ is ergodic, then $f(x + 4g(x))$, $f(x\ \mathrm{XOR}\ (4g(x)))$, $f(x) + 4g(x)$, and
$f(x)\ \mathrm{XOR}\ (4g(x))$ are ergodic, for arbitrary T-function $g$.

Although Theorem 2 can be applied to determine invertibility/single cycle
property of some T-functions, it is highly doubtful that one can prove, with the use of
Theorem 2 only, that, e.g., the following function $f$ is a T-function that is ergodic

(it is!): 



(.t2 + 2.t) XOR (1/3) 
2x + i 



(x + l)AND(l/5) 



(4) f{x)^2 + - + - + 2 



( 



) 



+ 
Therefore we need more delicate tools than Theorem 2 to study complicated compositions of basic machine instructions. These tools are provided by p-adic analysis and p-adic ergodic theory. The first one of the said tools are Mahler series.
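Theorem 2 can be applied mechanically to the mapping $x \mapsto x + (x^2 \ \mathrm{OR}\ C)$ cited above. The following is an added example, not code from the paper: it computes the ANF of each coordinate function $\psi_j$ by a Moebius transform, checks the two conditions of the theorem on n-bit words, and cross-checks the answer with a brute-force cycle count. All function names are chosen here for illustration.

```python
def klimov_shamir(C):
    """The mapping x -> x + (x^2 OR C) on non-negative integers."""
    return lambda x: x + ((x * x) | C)


def coordinate_truth_table(f, j):
    """Truth table of psi_j: bit j of f(x) as a function of bits 0..j of x.
    Valid for T-functions only (bit j of f(x) ignores bits of x above j)."""
    return [(f(x) >> j) & 1 for x in range(1 << (j + 1))]


def anf(tt):
    """Moebius transform of a truth table; a[mask] is the coefficient of the
    monomial whose variables chi_i are the set bits i of mask."""
    a = list(tt)
    step = 1
    while step < len(a):
        for i in range(len(a)):
            if i & step:
                a[i] ^= a[i ^ step]
        step <<= 1
    return a


def level_ok(f, j, ergodic=False):
    """Theorem 2 for the single coordinate function psi_j."""
    a = anf(coordinate_truth_table(f, j))
    top = 1 << j                                   # mask of the monomial chi_j
    # psi_j = chi_j XOR phi_j(chi_0..chi_{j-1}): chi_j occurs only on its own
    linear = a[top] == 1 and not any(a[top + 1:])
    if not (ergodic and linear):
        return linear
    # phi_j of odd weight: phi_0 = 1, or phi_j contains chi_0 ... chi_{j-1}
    return a[0] == 1 if j == 0 else a[top - 1] == 1


def bijective_mod(f, n):
    """Measure preservation modulo 2^n via the ANFs of psi_0..psi_{n-1}."""
    return all(level_ok(f, j) for j in range(n))


def transitive_mod(f, n):
    """Transitivity modulo 2^n via the ANFs of psi_0..psi_{n-1}."""
    return all(level_ok(f, j, ergodic=True) for j in range(n))


def single_cycle(f, n):
    """Brute-force cross-check: is x -> f(x) mod 2^n one cycle of length 2^n?"""
    mask, x = (1 << n) - 1, 0
    for _ in range(mask):
        x = f(x) & mask
        if x == 0:
            return False
    return f(x) & mask == 0


if __name__ == "__main__":
    n = 8
    print("C  bijective  transitive  single cycle (brute force)")
    for C in range(16):
        f = klimov_shamir(C)
        print(C, bijective_mod(f, n), transitive_mod(f, n), single_cycle(f, n))
```

The truth table of $\psi_j$ has $2^{j+1}$ entries, so the check is exponential in the word length; this is the practical limit of the ANF-based criterion that the text describes.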

2.4.2. Criteria based on Mahler series. It is not difficult to see that every mapping $f\colon \mathbb{N}_0 \to \mathbb{Z}_p$ (or, respectively, $f\colon \mathbb{N}_0 \to \mathbb{Z}$) admits one and only one representation in the form of so-called Mahler interpolation series

$$f(x) = \sum_{i=0}^{\infty} a_i \binom{x}{i}, \tag{5}$$

where $\binom{x}{i} = x(x-1)\cdots(x-i+1)/i!$ for $i = 1, 2, \ldots$, and $\binom{x}{0} = 1$; $a_i \in \mathbb{Z}_p$ (respectively, $a_i \in \mathbb{Z}$), $i = 0, 1, 2, \ldots$. This statement can be easily proved directly, substituting successively $x = 0, 1, 2, \ldots$ to (5) and solving the corresponding equation with unknown $a_x$.

Foremost, if $f$ is uniformly continuous on $\mathbb{N}_0$ with respect to the p-adic distance, $f$ can be uniquely expanded to a uniformly continuous function on $\mathbb{Z}_p$ since $\mathbb{Z}$ is dense in $\mathbb{Z}_p$. Hence the interpolation series for $f$ converges uniformly on $\mathbb{Z}_p$. The following is true (see e.g. ): The series $f(x) = \sum_{i=0}^{\infty} a_i \binom{x}{i}$ ($a_i \in \mathbb{Z}_p$, $i = 0, 1, 2, \ldots$) converges uniformly on $\mathbb{Z}_p$ if and only if $\lim^{p}_{i \to \infty} a_i = 0$, where $\lim^{p}$ is a limit with respect to the p-adic distance; hence uniformly convergent series defines a uniformly continuous function on $\mathbb{Z}_p$.

The following theorem holds:

Theorem 3 (see [H [7] and Theorem 3.53]). The function $f\colon \mathbb{Z}_p \to \mathbb{Z}_p$ represented by (5) is compatible if and only if

$$a_i \equiv 0 \pmod{p^{\lfloor \log_p i \rfloor}}$$

for all $i = 2, 3, 4, \ldots$. (Here and after for a real $a$ we denote $\lfloor a \rfloor$ the integral part of $a$, i.e., the nearest to $a$ rational integer that is not larger than $a$.)

Remark 2. We remind that in the case $p = 2$ compatible functions are T-functions, and vice versa.

Remark 3. Note that the number $\lfloor \log_p i \rfloor$ for $i = 1, 2, 3, \ldots$ has a very natural meaning: it is the number of digits in a base-$p$ expansion of $i$, decreased by 1. That is, $\lfloor \log_p i \rfloor$ is a bitlength of $i$, decreased by 1. So within the context of the paper it is reasonable to assume that $\lfloor \log_p 0 \rfloor = 0$.

Now we can give general characterization of measure-preserving (resp., ergodic) T-functions:

Theorem 4 (see and [H Theorem 4.40]). A map $f\colon \mathbb{Z}_2 \to \mathbb{Z}_2$ is a measure-preserving T-function if and only if it can be represented as

The map $f$ is an ergodic T-function if and only if it can be represented as

where $c_0, c_1, c_2, \ldots \in \mathbb{Z}_2$.

Using the identity $\Delta \binom{x}{i} = \binom{x}{i-1}$, where $\Delta$ is a difference operator, $\Delta u(x) = u(x+1) - u(x)$, we immediately deduce from Theorems 3 and 4 the following easy method to construct a measure preserving or ergodic T-function out of an arbitrary T-function:

Corollary 1 ([7], also [H Theorem 4.44]). Every ergodic (respectively, every measure preserving) T-function $f\colon \mathbb{Z}_2 \to \mathbb{Z}_2$ can be represented as

$$f(x) = 1 + x + 2 \cdot \Delta g(x)$$

(respectively, as $f(x) = d + x + 2 \cdot g(x)$) for a suitable $d \in \mathbb{Z}_2$ and a suitable T-function $g\colon \mathbb{Z}_2 \to \mathbb{Z}_2$; and vice versa, every function $f$ of the above form is, accordingly, ergodic or measure-preserving T-function.

Remark 4. Ergodicity of the T-function (4) can be proved with the use of Corollary 1.

2.4.3. Why new techniques are needed. Theorems 2 and 4 give methods to construct measure-preserving/ergodic T-functions from arithmetic and bitwise logical computer instructions; these methods may be too difficult (or even impossible) to use when a T-function is a composition of both arithmetic and bitwise logical operations like masking ($\mathrm{MASK}(x, c) = x \ \mathrm{AND}\ c$); i.e. when the composition includes $i$-th bit value functions $\delta_i(x)$. For instance, not speaking of more complicated compositions, it is quite difficult to determine measure preservation/ergodicity even in the simplest case when $f$ is a linear combination of $\delta_i(x)$: for the corresponding (rather involved) proof see [4, Theorem 9.20] or [21. However, functions of this sort are easy to implement in software and hardware; moreover, they were already used in some ciphers, see e.g. [13]. There are other techniques in p-adic ergodic theory than the already mentioned ones, like the methods that exploit uniform differentiability (we do not mention the ones in the paper; see [4, Section 4.6] about these). However, T-functions that include compositions of bitwise logical operations are rarely uniformly differentiable.

That is one of reasons why we need new techniques to handle T-functions of this sort. These new techniques are based on representation of T-functions in the form of van der Put series.

The other reason is that using the van der Put representations turns out to be a general way to speed-up T-function-based cryptographic algorithms via time-memory trade-offs since actually evaluation of a T-function represented by van der Put series uses just memory calls and integer summations.

It should be stressed however that compared to the known criteria the new ones are not superior in all cases, for all T-functions: An answer to the question which of the criteria is better to use in order to determine bijectivity/transitivity of a given T-function strongly depends on a composition of the T-function. In some cases a particular criterion just works better than others. For instance, to determine when a linear combination of $\delta_i(x)$ is transitive one may use either criteria based on Mahler series (Theorem 4), or criteria based on ANFs of coordinate functions (Theorem 2), or new criteria based on van der Put series (Theorem 7). Then, exploiting the criterion based on Mahler series results in a long involved proof (cf. [4, Theorem 9.20]) while application of the ANF-based criterion seemingly results in a shorter one, whereas the use of the new criterion implies a very short proof, cf. Example 1. We believe (and give some evidence in Section 4) that the new criteria are most suitable for T-functions whose compositions involve numerous bitwise logical instructions. However, the ANF-based criteria may be as effective (or even better) if a T-function is a relatively short composition of bitwise logical and/or arithmetic instructions, whereas the criteria based on Mahler series are seemingly more useful for 'classical-shaped' functions (2-adic exponential functions, rational functions, etc.); and for 'smooth' T-functions it is reasonable to try first criteria that exploit differentiability, cf. [4, Section 4.6; Subsection 9.2.2]. Moreover, results of the current paper, after being announced (without proofs) in [9], already have stimulated development of ergodic theory in the ring $\mathbb{F}_2[[X]]$ of formal power series over a two-element field $\mathbb{F}_2$, see recent paper [SI]. Maybe the criteria developed in the latter paper can also be applied to determine bijectivity/transitivity of certain T-functions as well since the metric space of all infinite binary sequences with the metric $d_2$ can also be treated as the metric space $\mathbb{F}_2[[X]]$ (rather than the metric space $\mathbb{Z}_2$). We believe that no universal 'superior' criterion exists; nonetheless, every new criterion enriches researchers' toolbox making it more diverse and therefore giving more flexibility when determining bijectivity/transitivity of a given T-function.

2.5. Van der Put series. Now we recall the definition and some properties of van der Put series, see e.g. [Ml US for details. Given a continuous function $f\colon \mathbb{Z}_p \to \mathbb{Z}_p$, there exists a unique sequence $B_0, B_1, B_2, \ldots$ of p-adic integers such that

$$f(x) = \sum_{m=0}^{\infty} B_m \chi(m, x) \tag{6}$$

for all $x \in \mathbb{Z}_p$, where

$$\chi(m, x) = \begin{cases} 1, & \text{if } |x - m|_p \le p^{-n}; \\ 0, & \text{otherwise} \end{cases}$$

and $n = 1$ if $m = 0$; $n$ is uniquely defined by the inequality $p^{n-1} \le m \le p^n - 1$ otherwise. The right side series in (6) is called the van der Put series of the function $f$. Note that the sequence $B_0, B_1, \ldots, B_m, \ldots$ of van der Put coefficients of the function $f$ tends p-adically to 0 as $m \to \infty$, and the series converges uniformly on $\mathbb{Z}_p$. Vice versa, if a sequence $B_0, B_1, \ldots, B_m, \ldots$ of p-adic integers tends p-adically to 0 as $m \to \infty$, then the series in the right part of (6) converges uniformly on $\mathbb{Z}_p$ and thus defines a continuous function $f\colon \mathbb{Z}_p \to \mathbb{Z}_p$.

The number $n$ in the definition of $\chi(m, x)$ has a very natural meaning; it is just the number of digits in a base-$p$ expansion of $m \in \mathbb{N}_0$: As said (see Remark 3),

$$\lfloor \log_p m \rfloor = (\text{the number of digits in a base-}p\text{ expansion for } m) - 1;$$

therefore $n = \lfloor \log_p m \rfloor + 1$ for all $m \in \mathbb{N}_0$ (recall that we assume $\lfloor \log_p 0 \rfloor = 0$).

Note that the coefficients $B_m$ are related to the values of the function $f$ in the following way: Let $m = m_0 + \ldots + m_{n-2} p^{n-2} + m_{n-1} p^{n-1}$ be a base-$p$ expansion for $m$, i.e., $m_j \in \{0, \ldots, p-1\}$, $j = 0, 1, \ldots, n-1$ and $m_{n-1} \ne 0$, then

$$B_m = \begin{cases} f(m) - f(m - m_{n-1} p^{n-1}), & \text{if } m \ge p; \\ f(m), & \text{if otherwise.} \end{cases} \tag{7}$$

It is worth noticing also that $\chi(m, x)$ is merely a characteristic function of the ball $\mathbf{B}_{p^{-\lfloor \log_p m \rfloor - 1}}(m) = m + p^{\lfloor \log_p m \rfloor + 1}\mathbb{Z}_p$ of radius $p^{-\lfloor \log_p m \rfloor - 1}$ centered at $m \in \mathbb{N}_0$:

$$\chi(m, x) = \begin{cases} 1, & \text{if } x \equiv m \pmod{p^{\lfloor \log_p m \rfloor + 1}}; \\ 0, & \text{if otherwise} \end{cases} = \begin{cases} 1, & \text{if } x \in \mathbf{B}_{p^{-\lfloor \log_p m \rfloor - 1}}(m); \\ 0, & \text{if otherwise} \end{cases} \tag{8}$$

3. Main results

In this Section we prove criteria for measure-preservation/ergodicity for a T-function in terms of van der Put coefficients of the T-function. However, we start with a van der Put coefficients based criterion for compatibility of a continuous p-adic map $\mathbb{Z}_p \to \mathbb{Z}_p$. In the case $p = 2$ the criterion yields necessary and sufficient conditions for a map $\mathbb{Z}_2 \to \mathbb{Z}_2$ to be a T-function.

3.1. The compatibility criterion in terms of van der Put coefficients. We first prove the compatibility criterion for arbitrary map $\mathbb{Z}_p \to \mathbb{Z}_p$ represented by van der Put series.

Theorem 5 (Compatibility criterion). Let a function $f\colon \mathbb{Z}_p \to \mathbb{Z}_p$ be represented via van der Put series (6); then $f$ is compatible (that is, satisfies the p-adic Lipschitz condition with a constant 1) if and only if $|B_m|_p \le p^{-\lfloor \log_p m \rfloor}$ for all $m = 0, 1, 2, \ldots$.

In other words, $f$ is compatible if and only if it can be represented as

$$f(x) = \sum_{m=0}^{\infty} p^{\lfloor \log_p m \rfloor} b_m \chi(m, x), \tag{9}$$

for suitable $b_m \in \mathbb{Z}_p$; $m = 0, 1, 2, \ldots$. In particular, every T-function $f\colon \mathbb{Z}_2 \to \mathbb{Z}_2$ can be represented as

$$f(x) = \sum_{m=0}^{\infty} 2^{\lfloor \log_2 m \rfloor} b_m \chi(m, x), \tag{10}$$

where $b_m \in \mathbb{Z}_2$, $m = 0, 1, 2, \ldots$; and vice versa, the series (10) defines a T-function.

Proof of Theorem 5. To prove the necessity of conditions, take $m \in \mathbb{N}_0$ and consider its base-$p$ expansion $m = m_0 + \ldots + m_{n-1} p^{n-1}$. Here $m_j \in \{0, \ldots, p-1\}$, $m_{n-1} \ne 0$, and $n = \lfloor \log_p m \rfloor + 1$. As

$$m_0 + \ldots + m_{n-2} p^{n-2} \equiv m_0 + \ldots + m_{n-2} p^{n-2} + m_{n-1} p^{n-1} \pmod{p^{n-1}};$$

then

$$f(m_0 + \ldots + m_{n-2} p^{n-2}) \equiv f(m_0 + \ldots + m_{n-1} p^{n-1}) \pmod{p^{n-1}}$$

by the compatibility of $f$. From the latter congruence in view of (7) it follows that $B_m \equiv 0 \pmod{p^{n-1}}$ for $m \ge p$; so $|B_m|_p \le p^{-\lfloor \log_p m \rfloor}$.

Now we prove the sufficiency of conditions. As $|B_m|_p \le p^{-\lfloor \log_p m \rfloor}$, the sequence $B_0, B_1, \ldots$ tends p-adically to 0 as $m \to \infty$ and so the function $f$ is continuous. Hence while proving that $|f(x) - f(y)|_p \le |x - y|_p$ for $x, y \in \mathbb{Z}_p$ we may assume that $x, y \in \mathbb{N}_0$ as $\mathbb{N}_0$ is dense in $\mathbb{Z}_p$. Moreover, by same reasons to prove that $f$ satisfies p-adic Lipschitz condition with a constant 1 it suffices only to prove that given $x \in \mathbb{N}_0$ and $h, n \in \mathbb{N}$, $|f(x + h p^n) - f(x)|_p \le p^{-n}$.

Let $h = h_0 + h_1 p + \ldots + h_\ell p^\ell$ be a base-$p$ expansion of $h \in \mathbb{N}$, and let $n_0 < n_1 < n_2 < \ldots < n_k$ be all indices in the latter base-$p$ expansion such that $h_{n_0}, h_{n_1}, \ldots, h_{n_k}$ are nonzero; so $h = h_{n_0} p^{n_0} + h_{n_1} p^{n_1} + \cdots + h_{n_k} p^{n_k}$. Now in view of (7) we have that

$$f(x + h p^n) = f(x) + [f(x + p^n h_{n_0} p^{n_0}) - f(x)] + \sum_{j=1}^{k} [f(x + p^n(h_{n_0} p^{n_0} + \cdots + h_{n_j} p^{n_j})) - f(x + p^n(h_{n_0} p^{n_0} + \cdots + h_{n_{j-1}} p^{n_{j-1}}))] = \tag{11}$$

However, by our assumption,

so (11) implies that $|f(x + h p^n) - f(x)|_p \le p^{-n}$ due to the strong triangle inequality that holds for the p-adic absolute value, cf. (3). □

3.2. The measure-preservation criteria for T-functions, in terms of the van der Put coefficients. Now we prove two criteria of measure-preservation for T-functions.

Theorem 6. Let $f\colon \mathbb{Z}_2 \to \mathbb{Z}_2$ be a T-function represented via van der Put series (6). The T-function $f$ is measure-preserving if and only if the following conditions hold simultaneously:

(i) $B_0 + B_1 \equiv 1 \pmod 2$;

(ii) $|B_m|_2 = 2^{-\lfloor \log_2 m \rfloor}$, $m = 2, 3, \ldots$.

Proof. By Corollary 1 the T-function $f$ is measure-preserving if and only if it can be represented in the form $f(x) = d + x + 2g(x)$, where $g\colon \mathbb{Z}_2 \to \mathbb{Z}_2$ is a T-function and $d \in \mathbb{Z}_2$. Now, given $g(x) = \sum_{m=0}^{\infty} \tilde B_m \chi(m, x)$, the van der Put series for the T-function $g$, we find the van der Put coefficients of the function $f(x) = d + x + 2g(x)$. As the van der Put series of the T-function $t(x) = x$ is

$$t(x) = \sum_{m=1}^{\infty} 2^{\lfloor \log_2 m \rfloor} \chi(m, x), \tag{12}$$

and as $d = d \cdot \chi(0, x) + d \cdot \chi(1, x)$, we get:

$$f(x) = (d + 2\tilde B_0)\chi(0, x) + (1 + d + 2\tilde B_1)\chi(1, x) + \sum_{m=2}^{\infty} (2^{\lfloor \log_2 m \rfloor} + 2\tilde B_m)\chi(m, x). \tag{13}$$

This proves necessity of conditions of the Theorem since $|\tilde B_m|_2 \le 2^{-\lfloor \log_2 m \rfloor}$ by Theorem 5 and hence $|2^{\lfloor \log_2 m \rfloor} + 2\tilde B_m|_2 = 2^{-\lfloor \log_2 m \rfloor}$ by the strong triangle inequality (3).

To prove sufficiency of the conditions, we note that the condition $|B_m|_2 = 2^{-\lfloor \log_2 m \rfloor}$ implies that $B_m = 2^{\lfloor \log_2 m \rfloor} + 2\tilde B_m$ for suitable $\tilde B_m \in \mathbb{Z}_2$, where

$$|\tilde B_m|_2 \le 2^{-\lfloor \log_2 m \rfloor} \tag{14}$$

and the condition $B_0 + B_1 \equiv 1 \pmod 2$ implies that $B_0 = d + 2\tilde B_0$ and $B_1 = 1 + d + 2\tilde B_1$ for suitable $d, \tilde B_0, \tilde B_1 \in \mathbb{Z}_2$. Now from equations (13) and (12) it follows that $f(x) = d + x + 2g(x)$, where $g(x) = \sum_{m=0}^{\infty} \tilde B_m \chi(m, x)$ is a T-function by Theorem 5 in view of inequality (14). Thus, $f$ is measure-preserving by Corollary 1. □

From Theorems 5 and 6 we deduce now the following

Corollary 2. A map $f\colon \mathbb{Z}_2 \to \mathbb{Z}_2$ is a measure-preserving T-function if and only if it can be represented as

$$f(x) = b_0 \chi(0, x) + b_1 \chi(1, x) + \sum_{m=2}^{\infty} 2^{\lfloor \log_2 m \rfloor} b_m \chi(m, x),$$

where $b_m \in \mathbb{Z}_2$, and the following conditions hold simultaneously

(i) $b_0 + b_1 \equiv 1 \pmod 2$;

(ii) $b_m \equiv 1 \pmod 2$, $m = 2, 3, 4, \ldots$.

3.3. The ergodicity criteria for T-functions, in terms of the van der Put coefficients. In this subsection, we prove the following criterion of ergodicity for T-functions:

Theorem 7. A T-function $f\colon \mathbb{Z}_2 \to \mathbb{Z}_2$ is ergodic if and only if it can be represented as

$$f(x) = b_0 \chi(0, x) + b_1 \chi(1, x) + \sum_{m=2}^{\infty} 2^{\lfloor \log_2 m \rfloor} b_m \chi(m, x)$$

for suitable $b_m \in \mathbb{Z}_2$ that satisfy the following conditions:

(i) $b_0 \equiv 1 \pmod 2$;

(ii) $b_0 + b_1 \equiv 3 \pmod 4$;

(iii) $|b_m|_2 = 1$, $m \ge 2$;

(iv) $b_2 + b_3 \equiv 2 \pmod 4$;

(v) $\sum_{m=2^{n-1}}^{2^n - 1} b_m \equiv 0 \pmod 4$, $n \ge 3$.

To prove the Theorem, we need the following Lemma:

Lemma 1 ([48]). Let $f\colon \mathbb{Z}_2 \to \mathbb{Z}_2$ be a T-function represented by van der Put series (6). Then $f$ is ergodic if and only if there exists a sequence $a_0, a_1, \ldots$ of 2-adic integers such that

$$B_m = \begin{cases} 1 + 2(a_1 - a_0), & \text{if } m = 0; \\ 2(1 + a_0 + 2a_2 - a_1), & \text{if } m = 1; \\ 2^{n-1} + 2^n a_{m+1} - 2^n a_m, & \text{if } 2^{n-1} \le m < 2^n - 1,\ n \ge 2; \\ 2^{n-1} + 2^{n+1} a_{2^n} - 2^n a_{2^n - 1} - 2^n a_{2^{n-1}}, & \text{if } m = 2^n - 1,\ n \ge 2. \end{cases} \tag{15}$$

Proof. By Corollary 1 a T-function $f$ is ergodic if and only if it can be represented as $f(x) = 1 + x + 2(g(x+1) - g(x))$, where $g(x)$ is a suitable T-function. That is, by Theorem 5,

$$g(x) = a_0 \chi(0, x) + \sum_{m=1}^{\infty} 2^{n_m - 1} a_m \chi(m, x) = \sum_{m=0}^{\infty} \tilde B_m \chi(m, x), \tag{16}$$

for suitable $a_0, a_1, a_2, \ldots \in \mathbb{Z}_2$, $\tilde B_0, \tilde B_1, \tilde B_2, \ldots \in \mathbb{Z}_2$ (here $n_m = \lfloor \log_2 m \rfloor + 1$, $m = 1, 2, 3, \ldots$).

Now, to prove necessity of conditions of the Lemma, we just need to express the van der Put coefficients of the function $f$ via the coefficients of the function $g$. First, we do this for the van der Put coefficients $\hat B_m$ of the T-function

$$g(x + 1) = \sum_{m=0}^{\infty} \hat B_m \chi(m, x). \tag{17}$$

If $m > 1$ then by (7) $\hat B_m = g(m+1) - g(m + 1 - q(m))$ where $q(m) = \delta_{n_m - 1}(m) 2^{n_m - 1}$. If $m \ne 2^{n_m} - 1$ then $q(m) = q(m+1)$, therefore $\hat B_m = g(m+1) - g(m + 1 - q(m+1)) = \tilde B_{m+1} = 2^{n_m - 1} a_{m+1}$ by (16) as $n_m = n_{m+1}$ in this case. If $m = 2^{n_m} - 1$ then $\hat B_m = g(2^{n_m}) - g(2^{n_m - 1})$ as $q(2^{n_m} - 1) = 2^{n_m - 1}$. As $\tilde B_{2^n} = g(2^n) - g(0)$ and $\tilde B_{2^{n-1}} = g(2^{n-1}) - g(0)$ by (7), we conclude that $\hat B_{2^n - 1} = \tilde B_{2^n} - \tilde B_{2^{n-1}}$. Finally, the coefficients $\hat B_0, \hat B_1$ can be found directly from (17): $\hat B_0 = g(1) = \tilde B_1$, $\hat B_1 = g(2) = \tilde B_0 + \tilde B_2$. Now we can find the van der Put coefficients $\bar B_m$ of the function $2(g(x+1) - g(x))$; they are:

$$\bar B_m = \begin{cases} 2(\tilde B_1 - \tilde B_0), & \text{if } m = 0; \\ 2(\tilde B_0 + \tilde B_2 - \tilde B_1), & \text{if } m = 1; \\ 2(\tilde B_{m+1} - \tilde B_m), & \text{if } 2^{n-1} \le m < 2^n - 1,\ n \ge 2; \\ 2(\tilde B_{m+1} - \tilde B_m - \tilde B_{2^{n-1}}), & \text{if } m = 2^n - 1,\ n \ge 2. \end{cases} \tag{18}$$

As $\chi(0, x) + \chi(1, x) = 1$ for all $x \in \mathbb{Z}_2$, from (10) we derive the van der Put expansion for the function $x + 1$; namely,

$$x + 1 = \chi(0, x) + 2\chi(1, x) + \sum_{m=2}^{\infty} 2^{n_m - 1} \chi(m, x). \tag{19}$$

From (16) we have that $\tilde B_0 = a_0$, $\tilde B_m = 2^{n-1} a_m$ when $2^{n-1} \le m \le 2^n - 1$, $n = 1, 2, \ldots$. Now combining the latter expressions with (19) and (17) we conclude that the van der Put coefficients $B_m$ of the function $f(x) = 1 + x + 2(g(x+1) - g(x))$ are of the form (15).

To prove sufficiency of conditions of the Lemma we just remark that the above argument shows that given expressions (15) for the van der Put coefficients of the function $f$ we can represent the T-function $f$ in the form $f(x) = 1 + x + 2(g(x+1) - g(x))$ where the van der Put expansion for $g$ is given by (16). That is, the function $g$ is a T-function by Theorem 5; therefore the T-function $f$ is ergodic by Corollary 1. □

Now we are able to prove the following Proposition which actually is a criterion of ergodicity for T-functions, in terms of van der Put coefficients:

Proposition 2. Let $f\colon \mathbb{Z}_2 \to \mathbb{Z}_2$ be a T-function represented by the van der Put series (6). Then $f$ is ergodic if and only if the following conditions are satisfied simultaneously:

(i) $B_0 \equiv 1 \pmod 2$;

(ii) $B_0 + B_1 \equiv 3 \pmod 4$;

(iii) $|B_m|_2 = 2^{-(n-1)}$, $n \ge 2$, $2^{n-1} \le m \le 2^n - 1$;

(iv) $\left| \sum_{m=2^{n-1}}^{2^n - 1} (B_m - 2^{n-1}) \right|_2 \le 2^{-(n+1)}$, $n \ge 2$.

Proof. By Lemma 1 if the T-function $f$ is ergodic then its van der Put coefficients $B_m$ can be expressed in the form (15), for suitable $a_0, a_1, a_2, \ldots \in \mathbb{Z}_2$. From (15) by direct calculation we easily prove that conditions (i)-(iv) of the Proposition are true.

By Lemma 1, to prove sufficiency of conditions of the Proposition we must find a sequence of 2-adic integers $a_0, a_1, a_2, \ldots$ such that relations (15) for the van der Put coefficients $B_m$ hold. Take arbitrarily $a_0, a_1 \in \mathbb{Z}_2$ so that

$$a_1 - a_0 = \frac{B_0 - 1}{2} \tag{20}$$

(cf. the first equation from (15) and condition (i) of the Proposition); then put

$$a_2 = \frac{B_1 + 2(a_1 - a_0) - 2}{4} = \frac{B_1 + B_0 - 3}{4} \tag{21}$$

(cf. the second equation from (15)). Note that $a_2 \in \mathbb{Z}_2$ due to the condition (ii) of the Proposition. We construct $a_3, a_4, a_5, \ldots \in \mathbb{Z}_2$ inductively. Denote

$$\check B_m = \frac{B_m - 2^{n-1}}{2^n}, \tag{22}$$

where $n = \lfloor \log_2 m \rfloor + 1$, $m \ge 3$; then $\check B_m \in \mathbb{Z}_2$ by condition (iii). Given $a_{2^{n-1}} \in \mathbb{Z}_2$, for $\alpha = 1, 2, \ldots, 2^{n-1} - 1$ put

$$a_{2^{n-1} + \alpha} = a_{2^{n-1}} + \sum_{m=2^{n-1}}^{2^{n-1} + \alpha - 1} \check B_m \tag{23}$$

$$a_{2^n} = a_{2^{n-1}} + \frac{1}{2} \sum_{m=2^{n-1}}^{2^n - 1} \check B_m. \tag{24}$$

Then $a_{2^{n-1} + \alpha} \in \mathbb{Z}_2$ by condition (iii) of the Proposition; and $a_{2^n} \in \mathbb{Z}_2$ by condition (iv). Therefore all $a_0, a_1, a_2, \ldots$ are in $\mathbb{Z}_2$.

Now solving system of equations (20), (21), (22), with respect to unknowns $B_m$, $m = 0, 1, 2, 3, \ldots$, we see that the van der Put coefficients $B_m$ satisfy conditions (15) of Lemma 1. Therefore $f$ is ergodic. □

Now we are able to prove Theorem 7.

Proof of Theorem 7. Consider the van der Put expansion (6) of the T-function $f$; then by Theorem 5, $B_m = 2^{\lfloor \log_2 m \rfloor} b_m$, for suitable $b_m \in \mathbb{Z}_2$. It is clear now that conditions (i), (ii) and (iii) of Proposition 2 are equivalent respectively to conditions (i), (ii) and (iii) of Theorem 7.

Take $2^{n-1} \le m < 2^n$, $n \ge 2$; thus $B_m = 2^{n-1} b_m$. Then condition (iv) of Proposition 2 is equivalent to the congruence $\sum_{m=2^{n-1}}^{2^n - 1} (B_m - 2^{n-1}) \equiv 0 \pmod{2^{n+1}}$; which is equivalent to the congruence $2^{n-1} \sum_{m=2^{n-1}}^{2^n - 1} (b_m - 1) \equiv 0 \pmod{2^{n+1}}$ as $B_m = 2^{n-1} b_m$. However, the latter congruence is equivalent to the congruence $\sum_{m=2^{n-1}}^{2^n - 1} (b_m - 1) \equiv 0 \pmod 4$ which in turn is equivalent either to the congruence $\sum_{m=2^{n-1}}^{2^n - 1} b_m \equiv 0 \pmod 4$ (when $n \ge 3$) or to the congruence $\sum_{m=2^{n-1}}^{2^n - 1} b_m \equiv 2 \pmod 4$ (when $n = 2$). However, the latter two congruences are respectively conditions (v) and (iv) of Theorem 7. □

4. Applications

In this Section we consider some applications of the above criteria: We give a new (and short!) proof of ergodicity of a known ergodic T-function which is used in a filter of ABC stream cipher from [ll?, then we prove ergodicity of a more complicated T-function (the latter result is new). After that we explain how to use Theorem 6 (the bijectivity criterion) in order to construct huge classes of large Latin squares. Finally we present a knapsack-like algorithm for fast computation of arbitrary T-function that uses only integer additions and calls to memory.

4.1. Examples of ergodic T-functions with masking. In this Subsection we consider two examples of ergodic T-functions constructed from additions, multiplications and masking (i.e., the instruction $\mathrm{MASK}(x, c) = x \ \mathrm{AND}\ c$). Thus, being implemented as computer programs both these T-functions are fast enough.

The T-function from Example 1 is used to construct a filter in ABC stream cipher p^; however, the proof of its ergodicity (which is based on Mahler series and Theorem 4) is highly technical and complicated, see e.g. [4, Theorem 9.20] or [3]. Although a shorter proof might be given with the use of ANF-based criteria (Theorem 2), below we give a very short proof by applying the ergodicity criteria in terms of van der Put series, cf. Theorem 7.

Let $x = \chi_0 + \chi_1 \cdot 2 + \ldots + \chi_k \cdot 2^k + \cdots$ be a 2-adic representation of $x \in \mathbb{Z}_2$; remind that we denote $\delta_k(x) = \chi_k$ (cf. beginning of Subsection 2.3). In other words, the value of the function $\delta_k\colon \mathbb{Z}_2 \to \mathbb{F}_2$ at the point $x \in \mathbb{Z}_2$ is the $k$-th binary digit of the base-2 expansion of $x$; so $\sum_{k=0}^{\infty} 2^k \delta_k(x) = \sum_{k=0}^{\infty} \chi_k \cdot 2^k = x$. Note that $\delta_k(x) = 1$ if and only if $x$ is congruent modulo $2^{k+1}$ to either of the numbers $2^k, 2^k + 1, \ldots, 2^{k+1} - 1$; so

$$\delta_k(x) = \sum_{m=2^k}^{2^{k+1} - 1} \chi(m, x), \tag{25}$$

as $\chi(m, x)$ is a characteristic function of the ball $\mathbf{B}_{2^{-\lfloor \log_2 m \rfloor - 1}}(m)$, see (8).

Example 1. Given a sequence $c, c_0, c_1, c_2, \ldots$ of 2-adic integers, the series

$$c + \sum_{i=0}^{\infty} c_i \delta_i(x) \tag{26}$$

defines an ergodic T-function $f\colon \mathbb{Z}_2 \to \mathbb{Z}_2$ if and only if the following conditions hold simultaneously:

(i) $c \equiv 1 \pmod 2$;

(ii) $c_0 \equiv 1 \pmod 4$;

(iii) $|c_i|_2 = 2^{-i}$, for $i = 1, 2, 3, \ldots$.

Indeed, substituting (25) to (26) we obtain the series $c + \sum_{i=0}^{\infty} c_i \sum_{m=2^i}^{2^{i+1} - 1} \chi(m, x)$, so the van der Put coefficients are: $B_0 = c$, $B_1 = c + c_0$, $B_m = c_{\lfloor \log_2 m \rfloor}$ for $m \ge 2$. Now from condition (i) of Proposition 2 we have that $c \equiv 1 \pmod 2$; however, from condition (ii) of Proposition 2 we have that $2c + c_0 \equiv 3 \pmod 4$ which gives us that $c_0 \equiv 1 \pmod 4$. Condition (iii) of Proposition 2 is equivalent to the condition $|c_i|_2 = 2^{-i}$ for $i \ge 1$. Due to these three conditions, condition (iv) of Proposition 2 is satisfied since $\sum_{m=2^i}^{2^{i+1} - 1} (c_i - 2^i) = 2^i c_i - 2^{2i} \equiv 0 \pmod{2^{i+2}}$ for $i \ge 1$. This ends the proof.

Note that under conditions of Example 1 the T-function $f(x) = c + \sum_{i=0}^{\infty} c_i \delta_i(x)$ can be expressed via operations of integer addition, integer multiplication by constants, and operation of masking, $\mathrm{MASK}(x, 2^i) = x \ \mathrm{AND}\ 2^i = 2^i \delta_i(x)$: As $c_i = 2^i d_i$ for suitable $d_i \in \mathbb{Z}_2$, $i = 0, 1, 2, \ldots$, by conditions (ii)-(iii), we have that $f(x) = c + \sum_{i=0}^{\infty} d_i \cdot \mathrm{MASK}(x, 2^i)$; so the corresponding T-function $\bar f = f \bmod 2^k$ on $k$-bit words is $\bar f(x) = c + \sum_{i=0}^{k-1} d_i \cdot \mathrm{MASK}(x, 2^i)$.

Note that in the just considered example the coefficients $c, c_0, c_1, \ldots$ do not depend on $x$. Now we consider a more complicated T-function of this sort where the coefficients depend on $x$. As the least non-negative residue modulo $2^k$ is a special case of MASK instruction, $x \bmod 2^k = \mathrm{MASK}(x, 2^k - 1)$, the T-function from Example 2 can be expressed via integer additions, multiplications, and masking.

Example 2. The following T-function $f$ is ergodic on $\mathbb{Z}_2$:

$$f(x) = 1 + \delta_0(x) + 6\delta_1(x) + \sum_{k=2}^{\infty} (1 + 2(x \bmod 2^k)) 2^k \delta_k(x).$$

To prove the assertion we calculate van der Put coefficients $B_m$. For $m \in \{0, 1\}$ we have:

(i) $B_0 = f(0) = 1$

(ii) $B_1 = f(1) = 2$

Given $m = m_0 + 2m_1 + \ldots + 2^{n-2} m_{n-2} + 2^{n-1}$, denote $m = \bar m + 2^{n-1}$, $n_m = n = \lfloor \log_2 m \rfloor + 1$. Then, we calculate the van der Put coefficients for the case $n_m = 2$. As $m = m_0 + 2$ in this case, we see that

$$B_{m_0 + 2} = f(m_0 + 2) - f(m_0) = 6;$$

so $B_2 = B_3 = 6$.

Now we proceed with calculations of $B_m$ for the case $n_m = n \ge 3$:

$$B_m = f(\bar m + 2^{n-1}) - f(\bar m) = 1 + \delta_0(\bar m + 2^{n-1}) + 6 \cdot \delta_1(\bar m + 2^{n-1}) + \sum_{k=2}^{n-1} 2^k (1 + 2((\bar m + 2^{n-1}) \bmod 2^k)) \cdot \delta_k(\bar m + 2^{n-1}) - f(\bar m) = f(\bar m) + 2^{n-1}(1 + 2\bar m) - f(\bar m).$$

So we conclude that if $n_m \ge 3$ then

$$B_m = 2^{n-1}(1 + 2\bar m),$$

where $\bar m = m_0 + 2m_1 + \ldots + 2^{n-2} m_{n-2}$. Finally we get:

(i) $B_0 = 1 \equiv 1 \pmod 2$;

(ii) $B_0 + B_1 = 1 + 2 = 3 \pmod 4$;

(iii) $|B_m|_2 = |2^{n_m - 1}(1 + 2\bar m)|_2 = 2^{-(n_m - 1)}$ for $n_m \ge 3$, and $|B_2|_2 = |B_3|_2 = |6|_2 = 2^{-1}$, $n_2 = n_3 = 2$.

(iv) For $n_m = 2$, we have that $|(B_2 - 2) + (B_3 - 2)|_2 = 2^{-(2+1)}$; and for $n \ge 3$, we have that

$$\left| \sum_{\bar m = 0}^{2^{n-1} - 1} (B_{\bar m + 2^{n-1}} - 2^{n-1}) \right|_2 = \left| \sum_{\bar m = 0}^{2^{n-1} - 1} (2^{n-1}(1 + 2\bar m) - 2^{n-1}) \right|_2 = \left| 2^n \sum_{\bar m = 0}^{2^{n-1} - 1} \bar m \right|_2 = \left| 2^{2n-2}(2^{n-1} - 1) \right|_2 \le 2^{-(n+1)}.$$

Therefore, under conditions of Example 2 the T-function $f$ is ergodic by Proposition 2.



4.2. Latin squares. In this Subsection we explain how one may use the bijectivity criterion (Theorem 6) to construct Latin squares of order $2^k$. We recall that a Latin square of order $P$ is a $P \times P$ matrix containing $P$ distinct symbols (usually denoted by $0, 1, \ldots, P - 1$) such that each row and column of the matrix contains each symbol exactly once. Latin squares are used in numerous applications: For games (recall sudoku), for private communication networks (password distribution), in coding theory, in cryptography (e.g., as stream cipher combiners), etc., see, e.g., monographs [T^[55|.

There is no problem to construct one Latin square (a circulant matrix serves an obvious example), a problem is how to write a software that produces a number of large Latin squares; however, this is only a part of the problem. Another part of the problem is that in some constraint environments (e.g., in smart cards) the whole matrix can not be stored in memory: Given two numbers $a, b \in \{0, 1, \ldots, P - 1\}$, the software must calculate the $(a, b)$-th entry of the matrix on-the-fly.

A number of methods have been developed in order to construct Latin squares, see e.g. the monographs we refer above; however, not all of the methods provide solution to the said problem since the methods are based on mappings which are somewhat slow if implemented in software (as, e.g., are polynomials over large finite fields). Therefore new methods that are based on 'fast' computer instructions are needed. Methods of the latter sort have been developed by using the 2-adic ergodic theory, see [H Section 8.4] where the said theory is applied to construct Latin squares as well as pairs of orthogonal Latin squares. The methods of the mentioned monograph are based on differentiability of p-adic mappings; by using Theorem 6, methods based on van der Put series can also be developed. We illustrate the general idea by a simple example.

A Latin square of order $P$ is just a bivariate mapping $F\colon (\mathbb{Z}/P\mathbb{Z})^2 \to \mathbb{Z}/P\mathbb{Z}$ which is bijective with respect to either variable. Therefore, given a pair of bijective (measure-preserving) T-functions

$$f(x) = \sum_{m=0}^{\infty} 2^{\lfloor \log_2 m \rfloor} b_m \chi(m, x) \quad \text{and} \quad \tilde f(y) = \sum_{m=0}^{\infty} 2^{\lfloor \log_2 m \rfloor} \tilde b_m \chi(m, y)$$

whose van der Put coefficients satisfy Corollary 2, the function

$$F(x, y) = \Big( \sum_{m=0}^{\infty} 2^{\lfloor \log_2 m \rfloor} (b_m \chi(m, x) + \tilde b_m \chi(m, y)) \Big) \bmod 2^k$$

is a Latin square of order $2^k$. The idea can be developed further; however, this implies expanding of the apparatus of van der Put series to the multivariate case. Development of the corresponding theory can be a subject of a future work but now it is out of scope of the current paper. We note only that in order to obtain really fast performance of the corresponding software, methods of fast evaluation of T-functions are needed. We introduce a method of that kind in the next Subsection.

4.3. Fast computation of T-functions. In this Subsection we demonstrate how by using the van der Put representation of a T-function one could speed-up evaluation of the T-function via time-memory trade-offs.

Let a T-function $f$ be represented via van der Put series (6); then the respective T-function on $k$-bit words is

$$\bar f = f \bmod 2^k = \sum_{m=0}^{2^k - 1} B_m \chi(m, x) \tag{27}$$

by Theorem 5, see (10). Arrange coefficients $B_m$, $m = 0, 1, \ldots, 2^k - 1$ into array $B(f) = [B_m : m = 0, 1, \ldots, 2^k - 1]$; so the address of the coefficient $B_m$ is $m$, $m = 0, 1, \ldots, 2^k - 1$. From (27) and (8) it follows that the value $\bar f(x)$ of the T-function $\bar f$ at $x \in \{0, 1, \ldots, 2^k - 1\}$ is equal to the sum modulo $2^k$ of coefficients $B_m$ for $m = x \bmod 2, x \bmod 4, \ldots, x \bmod 2^k$; so to calculate the output $\bar f(x)$ given input $x \in \{0, 1, \ldots, 2^k - 1\}$ one needs $k - 1$ additions modulo $2^k$ and $k$ calls to memory. To calculate $\bar f(x)$ the following procedure may be used (note that $\mathrm{MASK}(x, 2^i - 1) = x \bmod 2^i$):

    if MASK(x, 1) ≥ 1 then S := B_1
    else S := B_0;
    i := 1;
    C: if i = k then f(x) := S and STOP
       else i := i + 1;
       if MASK(x, 2^i − 1) ≥ 2^(i−1) then S := S + B_MASK(x, 2^i − 1);
       repeat C.

It can be easily seen that to compute $\bar f(x)$ the procedure uses $k$ memory calls to retrieve relevant coefficients $B_m$, $k$ compare instructions ≥ of integers, $k$ maskings MASK, and $k - 1$ integer additions. Note that if necessary the compare routine $\mathrm{MASK}(x, 2^i - 1) \ge 2^{i-1}$ may be replaced with the routine to determine whether $\mathrm{MASK}(x, 2^{i-1})$ is 0 or not; however this doubles the total number of maskings. Note also that given arbitrary measure-preserving (respectively, ergodic) T-function $f$, the array $B(f)$ consists of $2^k$ integers which may be too large in practical cases. If so, arrays where most entries $B_m$ are $2^{\lfloor \log_2 m \rfloor}$ may be used then (cf. condition (ii) of Theorem 6 and condition (iii) of Proposition 2, respectively): In this case, most entries must not necessarily be kept in memory, they can be calculated on-the-fly instead, by a suitable fast routine. In connection with the issue it would be interesting to study other cryptographical properties of measure-preserving/ergodic T-functions whose van der Put coefficients comprise arrays of this kind.
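The table-driven evaluation of Subsection 4.3, the criteria of Theorem 6 and Proposition 2 applied to the function of Example 2, and the Latin-square construction of Subsection 4.2, as an added example that is not code from the paper. Function names are chosen here; $F(x, y)$ is computed as $(f(x) + g(y)) \bmod 2^k$ for two tables built as in Corollary 2, and the seeded PRNG only produces constructed sample coefficients.

```python
import random


def example2(x):
    """Example 2: 1 + d0(x) + 6*d1(x) + sum_{k>=2} (1 + 2*(x mod 2^k)) * 2^k * dk(x)."""
    s = 1 + (x & 1) + 6 * ((x >> 1) & 1)
    for k in range(2, x.bit_length()):
        if (x >> k) & 1:                          # dk(x), the k-th bit of x
            s += (1 + 2 * (x & ((1 << k) - 1))) << k
    return s


def vdp_coefficients(f, k):
    """Exact van der Put coefficients B_0..B_{2^k - 1}, formula (7) with p = 2."""
    B = [f(0), f(1)]
    for m in range(2, 1 << k):
        B.append(f(m) - f(m - (1 << (m.bit_length() - 1))))
    return B


def evaluate(B, x, k):
    """f(x) mod 2^k from the table B (the procedure of Subsection 4.3)."""
    s = B[x & 1]
    for i in range(2, k + 1):
        low = x & ((1 << i) - 1)                  # MASK(x, 2^i - 1)
        if low >> (i - 1):                        # low >= 2^(i-1)
            s += B[low]
    return s % (1 << k)


def ord2(a):
    """2-adic valuation of an integer (infinity for 0)."""
    return (a & -a).bit_length() - 1 if a else float("inf")


def is_measure_preserving(B):
    """Theorem 6, conditions (i) and (ii), checked for all m < len(B)."""
    return (B[0] + B[1]) % 2 == 1 and all(
        ord2(B[m]) == m.bit_length() - 1 for m in range(2, len(B)))


def is_ergodic(B):
    """Proposition 2, conditions (i)-(iv), checked for all n with 2^n <= len(B)."""
    if B[0] % 2 != 1 or (B[0] + B[1]) % 4 != 3:              # (i), (ii)
        return False
    n = 2
    while (1 << n) <= len(B):
        half = 1 << (n - 1)
        block = B[half:2 * half]                              # 2^(n-1) <= m <= 2^n - 1
        if any(ord2(b) != n - 1 for b in block):              # (iii)
            return False
        if sum(b - half for b in block) % (1 << (n + 1)):     # (iv)
            return False
        n += 1
    return True


def corollary2_table(k, rng):
    """Table of a bijective T-function on k-bit words, built as in Corollary 2:
    b_0 + b_1 odd, B_m = 2^floor(log2 m) * (odd b_m) for m >= 2.
    The PRNG is an assumption of this example, used for sample data only."""
    b0 = rng.randrange(1 << k)
    B = [b0, (b0 + 1 + 2 * rng.randrange(1 << (k - 1))) % (1 << k)]
    for m in range(2, 1 << k):
        B.append((2 * rng.randrange(1 << k) + 1) << (m.bit_length() - 1))
    return B


def latin_entry(Bf, Bg, a, b, k):
    """Entry (a, b) of F(x, y) = (f(x) + g(y)) mod 2^k, computed on the fly."""
    return (evaluate(Bf, a, k) + evaluate(Bg, b, k)) % (1 << k)


if __name__ == "__main__":
    k = 6
    B = vdp_coefficients(example2, k)
    print("B_0..B_7:", B[:8])
    print("bijective:", is_measure_preserving(B), "ergodic:", is_ergodic(B))
    rng = random.Random(1)                        # constructed sample tables
    Bf, Bg = corollary2_table(3, rng), corollary2_table(3, rng)
    for a in range(8):
        print([latin_entry(Bf, Bg, a, b, 3) for b in range(8)])
```

Condition (iv) for a given $n$ uses the coefficients modulo $2^{n+1}$, which is why `vdp_coefficients` keeps exact integers instead of reducing them modulo $2^k$.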
5. Conclusion

In the paper, we present new criteria for a T-function to be bijective (that is, measure-preserving) or transitive (that is, ergodic). In the proofs techniques from non-Archimedean ergodic theory are used: The new criteria are based on representation of a T-function via van der Put series, special series from p-adic analysis. We note that the criteria are not 'globally' superior to other known criteria (e.g., the ones based on Mahler series or on ANFs of coordinate functions): being necessary and sufficient conditions for the bijectivity/transitivity of T-functions, all the criteria (speaking rigorously) are equivalent one to another. However, some criteria are easier to apply to some particular types of T-functions than the other criteria. In the paper we give an evidence that the criteria based on van der Put series are most suitable to determine bijectivity/transitivity of a T-function whose composition includes machine instructions like, e.g., masking. We also use the van der Put series to construct a knapsack-like algorithm for fast evaluation of T-functions via time-memory trade-offs.